[ https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564712#comment-17564712 ]

Viraj Jasani edited comment on HADOOP-18033 at 7/10/22 7:08 PM:
----------------------------------------------------------------

{quote}In my past experience, Jersey 2.x upgrade takes a lot of time and I 
think it will cause some incompatible changes.
{quote}
I agree that 3.3 subsequent releases should not wait for Jersey 2 because of 
the sheer volume of changes and incompatibility with Jersey 1.
From my previous comment:
{quote}FWIW, although Hadoop 3.3 could revert this for 3.3.4 release but from 
security viewpoint, staying up with latest Jackson2 is also in good favour of 
3.3 release line, given that 3.3 is the latest release line.
{quote}
we might have to call out on the Jackson CVE that we claimed to have fixed with 
3.3.2 and 3.3.3 and now 3.3.4 would get it exposed with the revert.
IIRC, Jersey 1.19 is not flagged by security for active CVEs but Jackson 
versions <= 2.12 are?

But I can understand that since it is breaking downstreamers, it might be worth 
reverting this and HADOOP-18178 at the expense of known CVE exposure.


was (Author: vjasani):
{quote}In my past experience, Jersey 2.x upgrade takes a lot of time and I 
think it will cause some incompatible changes.
{quote}
I agree that 3.3 subsequent releases should not wait for Jersey 2 because of 
the sheer volume of changes and incompatibility with Jersey 1.
From my previous comment:
{quote}FWIW, although Hadoop 3.3 could revert this for 3.3.4 release but from 
security viewpoint, staying up with latest Jackson2 is also in good favour of 
3.3 release line, given that 3.3 is the latest release line.
{quote}
we might have to call out on the Jackson CVE that we claimed to have fixed with 
3.3.2 and 3.3.3 and now 3.3.4 would get it exposed with the revert.
IIRC, Jersey 1.19 is not flagged by security for active CVEs but Jackson 
versions <= 2.12 are?

But I can understand that since it is breaking downstreamers, it might be worth 
reverting this.

> Upgrade fasterxml Jackson to 2.13.0
> -----------------------------------
>
>                 Key: HADOOP-18033
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18033
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: build
>            Reporter: Akira Ajisaka
>            Assignee: Viraj Jasani
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.2
>
>          Time Spent: 5.5h
>  Remaining Estimate: 0h
>
> Spark 3.2.0 depends on Jackson 2.12.3. Let's upgrade to 2.12.5 (2.12.x latest 
> as of now) or upper.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
